I am developing Webcenter Portal application with Webcenter 184.108.40.206.
We use People Connections message wall taskflow and noticed that it doesn't filter user input against script injection. For example, one can enter , script > alert('something'); < /script > and click publish. When message wall will be displayed for the next time - this alert window will appear. This is an obvious security flaw, is there any way to avoid it?
As far as I know we can only customize visualization, not implementation of webcenter taskflows?
I'm not sure but can you take a look at how the messages are rendered in the taskflow.
when they are rendered by an outputText, normally you can escape these things by setting escape="true" which is the default. THis means that if there is no explicit escape attriubte, it should escape by default and the issue should be found somewhere else.
I would also recommend opening a SR because this needs to be fixed!
Entered customization role, set escape to "true", it solves the problem, now injected script content is being displayed as text, but it is certainly better than script injection
I wonder why Oracle had set it explicitly to escape="false" in this taskflow.